CRA Art.12: Authorised Representatives — EU Mandate Requirements, Documentation Obligations, and Appointment Guide (Developer Guide 2026)
Post #462 in the sota.io EU Cyber Compliance Series
The EU Cyber Resilience Act (Regulation (EU) 2024/2847, "CRA") applies to any manufacturer placing a product with digital elements on the EU market — regardless of where that manufacturer is established. A US-based SaaS company, a Japanese hardware vendor, a Canadian open-source team with a commercial offering, an Indian B2B software provider: all are subject to CRA obligations if their products reach EU customers.
For these non-EU manufacturers, Article 12 creates a structural requirement that must be satisfied before the first product ships to the EU: designating an authorised representative established in the Union, by written mandate, with specific documented powers.
Article 12 is not a disclosure requirement or a best-practice recommendation. It is a market access condition. Products placed on the EU market by a non-EU manufacturer without a properly mandated authorised representative are non-compliant from the moment they cross the border — even if every Annex I technical requirement is met.
This guide explains:
- Who must designate an authorised representative
- What the written mandate must contain
- What obligations the representative carries
- The relationship between the representative, importers, and distributors
- How CRA Art.12 compares to the GDPR Art.27 representative (similar structure, different scope)
- Practical options for non-EU software companies
Who Needs an Authorised Representative
Art.12(1) is unambiguous: each manufacturer established outside the Union shall designate, by written mandate, an authorised representative established in the Union.
"Established outside the Union" means the manufacturer's registered place of business is in a third country — the United States, United Kingdom, Switzerland, Japan, Canada, India, or any non-EU/non-EEA jurisdiction. EU and EEA-established manufacturers are directly bound by CRA obligations and do not need a representative.
The Manufacturer Definition
Under CRA Art.3(12), a manufacturer is any natural or legal person who develops or manufactures products with digital elements, or who has products designed or manufactured and markets them under their name or trademark — whether for payment or free of charge.
This definition captures:
- SaaS providers offering services that include downloadable clients, agents, or SDKs (the downloadable component is a "product with digital elements")
- SDK/library publishers whose software is integrated into other products, if they place that software on the market under their name
- Hardware + firmware vendors selling connected devices to EU customers
- Open-source projects with commercial components where the commercial distribution entity is outside the EU
- White-label product companies manufacturing hardware or software sold under their own brand
It does not capture entities that merely import or distribute someone else's product — but those entities have their own obligations under Art.13 (importers) and Art.14 (distributors).
When the Requirement Is Not Triggered
Two scenarios allow a non-EU entity to avoid the Art.12 requirement:
Scenario A — An EU importer exists and accepts manufacturer obligations. Under CRA Art.13(5), if an importer places the product on the market under their own name or trademark, or modifies the product such that conformity with CRA may be affected, that importer takes on manufacturer obligations — including compliance with Art.13 in full. In this scenario, the importer effectively becomes the manufacturer for CRA purposes, and Art.12 does not apply independently. However, this scenario requires the importer to accept a significant liability shift.
Scenario B — The manufacturer has an EU branch with legal standing. If the non-EU parent has an EU-registered subsidiary that places the product on the market, and the subsidiary qualifies as the manufacturer (the legal entity under whose name the product is marketed in the EU), the Art.12 requirement is satisfied by structure — the manufacturer is EU-established.
Most software companies operating a non-EU parent with an EU legal entity for contracting purposes already satisfy Art.12 by default. The requirement primarily affects companies that sell directly to EU customers through their non-EU entity without any EU-established intermediary.
The Written Mandate: Minimum Required Powers
Art.12(2) specifies the minimum content of the mandate. A mandate that grants fewer powers than Art.12 requires is legally defective — the authorised representative cannot fulfil their CRA obligations without them.
Four Mandatory Powers
Power 1 — Registration
The authorised representative must be empowered to register the product with digital elements as required by CRA Art.22. Art.22 establishes a future EU product registration system (similar to the EUDAMED database for medical devices). As of 2026, the implementing rules for Art.22 have not been finalized, but the mandate must grant the representative authority to carry out registration once the system becomes operational.
Power 2 — Documentation retention
The representative must be empowered and equipped to keep at the disposal of market surveillance authorities:
- The EU declaration of conformity (DoC) for the product
- The technical documentation supporting the DoC
These documents must be retained for at least 10 years after the product is placed on the market, or for the duration of the support period if longer. For products with long support commitments (enterprise software, industrial control systems, connected devices), the retention period may substantially exceed 10 years.
Critically, "keeping at the disposal" means the representative must have physical or reliable electronic access to current, authentic copies of the documents — not merely the right to request them from the manufacturer. Market surveillance authorities may appear at short notice and require immediate document access.
Power 3 — Information provision
The representative must be empowered to provide any national authority, upon a reasoned request, with all information and documentation necessary to demonstrate the conformity of the product with CRA requirements. This is a pass-through obligation: the representative must be able to obtain the necessary information from the manufacturer and transmit it to the authority within the required timeframe.
Market surveillance authorities can request information under Art.54 and related provisions. Response timelines vary by national law but are typically 10 business days. The mandate must enable the representative to meet these timelines.
Power 4 — Cooperation with authorities
The representative must be empowered to cooperate with competent national authorities on any corrective action required to eliminate risks posed by the product. This includes:
- Providing access to testing samples
- Facilitating recall or withdrawal procedures
- Coordinating remediation communications
- Assisting in market surveillance investigations
What the Mandate Need Not Include
Art.12 does not make the authorised representative liable for the product's conformity in the same way the manufacturer is. The manufacturer remains the primary duty-bearer. The representative's obligations are procedural — documentation custody, authority cooperation, information provision — not technical.
The mandate does not need to grant product approval rights, technical review authority, or commercial representation. These functions may be added by agreement but are not required by Art.12.
A lean Art.12 mandate covers exactly the four statutory powers and no more. Many compliance service providers offer this as a standardized engagement.
Obligations of the Authorised Representative
Once mandated, the authorised representative carries obligations that are ongoing throughout the product's market presence, not merely at the time of designation.
Documentation Custody: What Must Be Held
The technical documentation package for a CRA product with digital elements includes:
| Document | Content Summary |
|---|---|
| EU Declaration of Conformity (DoC) | Manufacturer identity, product description, applicable conformity assessment procedure, applicable standards, date and place |
| Technical file (Annex V) | Description and intended use; list of cybersecurity risks; applicable harmonised standards; technical solutions applied for Annex I requirements; copy of DoC; conformity assessment records |
| SBOM | Machine-readable bill of materials (CycloneDX 1.4+ or SPDX 2.3+) reflecting the product at release |
| CVD policy documentation | Published coordinated vulnerability disclosure procedure |
| Security testing records | Penetration test results, vulnerability assessment outputs relevant to Annex I conformity |
The representative must hold or have reliable access to current versions of each of these documents. For software products with frequent release cycles, the documentation must track product versions. A representative holding documentation for v1.0 that was superseded by v2.7 is in breach if a market surveillance authority investigates the current version.
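The version-tracking requirement above can be checked mechanically. The following is an added example, not code from the original guide: it audits a representative's held package against a manufacturer-issued manifest of SHA-256 digests and checks the SBOM spec version against the minimums in the table. The manifest layout, document keys and function names are assumptions, and the manifest is assumed to reach the representative over an authenticated channel.

```python
import hashlib
import json

# Document kinds from the custody table above; the key names are hypothetical.
REQUIRED_DOCS = ("declaration_of_conformity", "technical_file", "sbom",
                 "cvd_policy", "security_testing_records")
# Minimum SBOM spec versions quoted in the table.
MIN_SBOM_SPEC = {"CycloneDX": (1, 4), "SPDX": (2, 3)}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sbom_spec(raw: bytes):
    """Return (format, version tuple) for a JSON SBOM, or None if unrecognised."""
    try:
        doc = json.loads(raw)
    except ValueError:  # covers invalid JSON and undecodable bytes
        return None
    if not isinstance(doc, dict):
        return None
    spdx = str(doc.get("spdxVersion", ""))
    if doc.get("bomFormat") == "CycloneDX":
        name, version = "CycloneDX", str(doc.get("specVersion", ""))
    elif spdx.startswith("SPDX-"):
        name, version = "SPDX", spdx[len("SPDX-"):]
    else:
        return None
    try:
        return name, tuple(int(part) for part in version.split("."))
    except ValueError:
        return None


def audit_package(manifest: dict, held: dict, current_version: str) -> list:
    """List custody problems in the representative's copy of the package.

    manifest: {"product_version": str, "documents": {kind: sha256 hex}},
              issued by the manufacturer (assumed authenticated, e.g. signed).
    held:     {kind: bytes} as stored by the representative.
    """
    findings = []
    documented = manifest.get("product_version")
    if documented != current_version:
        findings.append(f"STALE: package covers v{documented}, "
                        f"product on the market is v{current_version}")
    expected = manifest.get("documents", {})
    for kind in REQUIRED_DOCS:
        if kind not in expected:
            findings.append(f"MISSING_FROM_MANIFEST: {kind}")
        elif kind not in held:
            findings.append(f"NOT_HELD: {kind}")
        elif sha256_hex(held[kind]) != expected[kind]:
            findings.append(f"DIGEST_MISMATCH: {kind}")
    if "sbom" in held:
        spec = sbom_spec(held["sbom"])
        if spec is None:
            findings.append("SBOM_UNRECOGNISED: not CycloneDX or SPDX JSON")
        elif spec[1] < MIN_SBOM_SPEC[spec[0]]:
            findings.append(f"SBOM_TOO_OLD: {spec[0]} {'.'.join(map(str, spec[1]))}")
    return findings


def build_sample(version: str = "2.7"):
    """Constructed sample data: a complete package and a degraded copy of it."""
    held = {kind: f"{kind} for v{version}".encode() for kind in REQUIRED_DOCS}
    held["sbom"] = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5"}).encode()
    manifest = {"product_version": version,
                "documents": {k: sha256_hex(v) for k, v in held.items()}}
    degraded = dict(held)
    degraded["sbom"] = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.3"}).encode()
    del degraded["cvd_policy"]  # representative never received this document
    return manifest, held, degraded


if __name__ == "__main__":
    manifest, held, degraded = build_sample()
    print(audit_package(manifest, held, "2.7"))      # complete, current package
    for finding in audit_package(manifest, degraded, "2.7"):
        print(finding)
```

Running the audit on each release, and again before any scheduled retrieval test, surfaces a stale or incomplete package before an authority asks for it.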
Responding to Market Surveillance Authorities
Market surveillance authorities (MSAs) in each EU Member State have powers to:
- Request technical documentation
- Request the EU declaration of conformity
- Require corrective action (including withdrawal from market)
- Impose interim prohibitions on product sales
When an MSA requests documentation from a product's authorised representative, the representative must:
- Acknowledge the request immediately
- Obtain documentation from the manufacturer if not held directly
- Provide complete documentation within the MSA's specified timeframe
- Communicate any disputes or ambiguities directly with the MSA rather than delaying the response
A representative who cannot respond to an MSA request — because the manufacturer is unresponsive, documentation is unavailable, or the mandate does not grant sufficient authority — is in breach of Art.12. This creates reputational and, in some jurisdictions, legal liability for the representative independent of the manufacturer's position.
Reporting Product Risks
If the authorised representative becomes aware that a product poses a risk to EU users — through a disclosed vulnerability, a market surveillance alert, or media reporting — they must cooperate with the relevant national MSA regardless of whether the manufacturer has taken action. The representative cannot take a "wait for the manufacturer's instruction" posture when user safety is at stake.
This obligation makes the quality of the manufacturer-representative communication channel material: a representative who cannot reach the manufacturer in time to respond to a safety issue is structurally unable to fulfil Art.12.
The Representative-Importer-Distributor Chain
CRA Art.12 operates alongside the importer obligations in Art.13 and distributor obligations in Art.14. Understanding how these interact is important for supply chains where multiple economic operators are involved.
Authorised Representative vs Importer
| Dimension | Authorised Representative (Art.12) | Importer (Art.13) |
|---|---|---|
| Who they are | Any EU-established entity mandated by manufacturer | Entity importing (placing on market from outside EU) |
| How appointed | By written mandate | By commercial relationship |
| Primary obligation | Documentation, authority cooperation | Verify conformity before import, affix importer info |
| Liability exposure | Procedural non-compliance | Placing non-conforming product on market |
| Can combine roles | Yes (importer can also be mandated as authorised rep) | Yes |
An importer can simultaneously serve as the authorised representative if the manufacturer grants a mandate. This is common in distribution agreements where the EU distributor/importer also handles regulatory liaison. If the importer is mandated, there is no need for a separate authorised representative.
If there is no importer and no EU-established manufacturer, the authorised representative is the sole EU point of contact for market surveillance. This is the typical scenario for software products sold directly to EU end-users without an EU distribution intermediary.
When an Importer Exists
If the manufacturer's product reaches EU customers through an EU-based importer:
- The importer must verify that the manufacturer has designated an authorised representative (Art.13(2))
- The importer must verify that the product has an EU declaration of conformity
- The importer must affix their own name and contact information to the product or packaging
- If the manufacturer has not designated a representative, the importer's obligations do not substitute — both obligations remain unfulfilled
The importer cannot fill the Art.12 gap by default. Only a written mandate from the manufacturer creates an authorised representative.
CRA Art.12 vs GDPR Art.27: Same Structure, Different Scope
Software companies that already comply with GDPR will recognize the authorised representative structure. GDPR Art.27 requires non-EU controllers and processors who target EU individuals to designate an EU representative. The CRA Art.12 requirement is structurally similar but covers a different regulatory domain.
| Dimension | CRA Art.12 | GDPR Art.27 |
|---|---|---|
| Regulation | Cyber Resilience Act (product safety) | General Data Protection Regulation (data protection) |
| Trigger | Non-EU manufacturer placing product on EU market | Non-EU controller/processor targeting EU individuals |
| Representative's role | Hold technical documentation; cooperate with MSAs | Receive GDPR inquiries; cooperate with SAs |
| Supervising authority | Market surveillance authorities | Data protection supervisory authorities |
| Documentation held | DoC, technical file, SBOM | Records of processing activities (Art.30 RoPA) |
| Can same entity serve both roles | Yes, if mandated for both | Yes |
A company that already has a GDPR Art.27 representative in the EU is not automatically compliant with CRA Art.12. The scopes are different, the mandating requirements are different, and the supervising authorities are different. However, the same EU-established entity can be mandated to serve both functions if both mandates are properly documented and the entity has capacity to fulfil both roles.
Using a combined GDPR+CRA representative is a cost-efficient approach for smaller companies with limited EU presence.
Implementation Options for Non-EU Software Companies
Non-EU manufacturers have three practical paths to satisfying Art.12.
Option A — EU Subsidiary as Authorised Representative
If the manufacturer has an EU-registered subsidiary (GmbH, SAS, Ltd, etc.) that is legally capable of holding documentation and cooperating with authorities, the subsidiary can serve as authorised representative under a written mandate from the parent.
Advantages: Same corporate group, aligned interests, direct access to documentation, no third-party coordination.
Risks: If the subsidiary is shell-like (no staff, no operational capacity), market surveillance authorities may look through the structure to assess whether the representative can actually fulfil Art.12 obligations. An empty holding entity with no documentation access fails Art.12 functionally even if the mandate is correctly drafted.
Recommendation: Suitable when the EU subsidiary has operational staff, processes, and systems capable of document management and authority cooperation.
Option B — Professional Representative Service
A growing market of EU-based compliance service providers offers "authorized representative" services specifically for CRA, CE marking, and related EU product regulations. These providers maintain staff familiar with MSA processes, hold client documentation in secure systems, and respond to authority requests as a core service.
Advantages: Purpose-built for regulatory liaison; experienced with MSA communication; scalable across multiple products.
Risks: Service contract quality varies significantly. A mandate that grants fewer than the four Art.12 powers is invalid. The provider must have operational capacity to respond within MSA timelines — verify SLA terms explicitly.
Cost: Typically €500–€3,000/year per product line depending on documentation complexity and jurisdictions covered.
Recommendation: Suitable for companies without EU presence or with EU subsidiaries that lack regulatory capacity.
Option C — EU Business Partner (Importer as Authorised Representative)
If the manufacturer distributes through an EU-based partner who imports and sells the product, that partner can be mandated as the authorised representative in addition to serving as importer. This combines the Art.12 and Art.13 roles in one entity.
Advantages: No additional party required; the partner already has commercial skin in the game.
Risks: Distributor/importer relationships may not be stable across the 10-year documentation retention window. If the commercial relationship ends, the mandate terminates — but the Art.12 obligation does not. The manufacturer must designate a replacement immediately.
Recommendation: Suitable when the distribution relationship is long-term and the partner explicitly accepts the Art.12 mandate in writing. Not suitable for short-term or non-exclusive distribution arrangements.
Practical Implementation: The Mandate Document
The mandate is a legal document — not a generic email or terms-of-service clause. It should:
- Identify the parties: Full legal name, registered address, and company registration number of both the manufacturer and the representative
- Identify the products: Either by product name/model or by category, with version scope clearly stated
- Grant all four Art.12(2) powers explicitly (registration, documentation retention, information provision, authority cooperation)
- Specify documentation handling: How the manufacturer will provide and update documentation; who holds master copies; what happens if the relationship terminates
- Set communication timelines: How quickly the manufacturer will respond to representative requests forwarding authority inquiries
- Address termination: What happens to documentation at mandate end; obligation to notify the Commission and Member States if the mandate is revoked
The mandate should be signed by an officer with authority to bind the manufacturer and retained for the full documentation retention period.
Python: CRA Art.12 Mandate Completeness Checker
```python
from dataclasses import dataclass
from typing import List

# ISO 3166-1 alpha-2 codes of the EU Member States and the EEA-only states.
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR",
    "DE", "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL",
    "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}
EEA_STATES = {"IS", "LI", "NO"}


@dataclass
class CRAMandateChecker:
    """Validates an authorised representative mandate against Art.12(2) requirements."""

    manufacturer_name: str
    manufacturer_country: str
    representative_name: str
    representative_eu_member_state: str
    mandate_powers: List[str]
    products_in_scope: List[str]
    mandate_signed: bool = False
    documentation_access_described: bool = False
    termination_clause_present: bool = False

    # Class-level constant (unannotated, so not a dataclass field).
    REQUIRED_POWERS = [
        "product_registration",
        "documentation_retention",
        "information_provision",
        "authority_cooperation",
    ]

    def check_manufacturer_needs_representative(self) -> dict:
        requires_rep = self.manufacturer_country not in EU_MEMBER_STATES | EEA_STATES
        return {
            "requires_representative": requires_rep,
            "reason": (
                "Manufacturer is outside EU/EEA — Art.12 applies"
                if requires_rep
                else "Manufacturer is EU/EEA established — Art.12 does not apply"
            ),
        }

    def validate_mandate(self) -> dict:
        issues = []
        warnings = []

        # Check jurisdiction: the code must be an EU/EEA state, not merely non-empty
        # (EU/EEA follows the "EU/EEA-established representative" wording in the checklist)
        if self.representative_eu_member_state not in EU_MEMBER_STATES | EEA_STATES:
            issues.append("CRITICAL: Representative must be established in the EU/EEA")

        # Check required powers
        for power in self.REQUIRED_POWERS:
            if power not in self.mandate_powers:
                issues.append(f"MISSING POWER: '{power}' is mandatory under Art.12(2)")

        # Check signature
        if not self.mandate_signed:
            issues.append("DEFECTIVE: Mandate must be signed (written mandate required by Art.12(1))")

        # Check product scope
        if not self.products_in_scope:
            issues.append("INCOMPLETE: Mandate must identify the products in scope")

        # Check documentation access
        if not self.documentation_access_described:
            warnings.append(
                "WARNING: Mandate should describe how documentation will be "
                "provided and maintained (DoC, technical file, SBOM)"
            )

        # Check termination
        if not self.termination_clause_present:
            warnings.append(
                "WARNING: Mandate should address documentation handling on termination "
                "and obligation to designate a replacement representative"
            )

        return {
            "valid": len(issues) == 0,
            "critical_issues": issues,
            "warnings": warnings,
            "summary": (
                f"Mandate {'VALID' if len(issues) == 0 else 'DEFECTIVE'}: "
                f"{len(issues)} critical issues, {len(warnings)} warnings"
            ),
        }


# Example: non-EU manufacturer with incomplete mandate
checker = CRAMandateChecker(
    manufacturer_name="Acme Software Inc.",
    manufacturer_country="US",
    representative_name="EU Compliance GmbH",
    representative_eu_member_state="DE",
    mandate_powers=[
        "documentation_retention",
        "information_provision",
        "authority_cooperation",
        # Missing: "product_registration"
    ],
    products_in_scope=["Acme Security Agent v2.x"],
    mandate_signed=True,
    documentation_access_described=True,
    termination_clause_present=False,
)

result = checker.check_manufacturer_needs_representative()
print(result)
# {'requires_representative': True, 'reason': 'Manufacturer is outside EU/EEA — Art.12 applies'}

validation = checker.validate_mandate()
print(validation["summary"])
# Mandate DEFECTIVE: 1 critical issues, 1 warnings

for issue in validation["critical_issues"]:
    print(f"  ISSUE: {issue}")
# ISSUE: MISSING POWER: 'product_registration' is mandatory under Art.12(2)
```
Timeline and Applicability
Art.12 applies from 11 December 2027, when the core CRA obligations for most products become enforceable. However, since designating an authorised representative is a market access condition, manufacturers should establish their representative well in advance of the first product placement.
Two earlier deadlines affect related obligations:
- 11 September 2026: Art.14 (actively exploited vulnerability notifications to ENISA) and Art.15 (CVD policy) apply. Non-EU manufacturers subject to Art.14 may need a European point of contact — the authorised representative is the natural candidate
- 11 December 2026: Obligations for notified bodies and certain high-criticality product categories may apply earlier under implementing acts
For manufacturers currently distributing to EU customers, the practical recommendation is to designate an authorised representative by Q1 2027 at the latest — allowing time for mandate drafting, documentation transfer, and operational readiness before the December 2027 deadline.
Compliance Checklist: CRA Art.12 Authorised Representative
Trigger Assessment
- Determine where the manufacturing entity is legally established
- Confirm whether the manufacturing entity is the entity whose name appears on the product
- Identify whether an EU importer exists who accepts manufacturer obligations under Art.13(5)
- Confirm whether an EU subsidiary qualifies as the manufacturer for EU market purposes
Representative Designation
- Select an EU/EEA-established representative (Option A: subsidiary; Option B: professional service; Option C: importer)
- Verify the representative has operational capacity to hold documentation and respond to authorities
- Draft a written mandate explicitly granting all four Art.12(2) powers
- Specify the products covered and version scope
- Define documentation transfer and update procedures in the mandate
- Include termination provisions and obligations upon mandate end
- Sign the mandate with officers from both entities
- Retain the signed mandate for ≥10 years
Documentation Package for the Representative
- EU Declaration of Conformity (current version)
- Technical file (Annex V compliant — description, risk list, standards applied, conformity assessment records)
- Machine-readable SBOM (CycloneDX 1.4+ or SPDX 2.3+)
- CVD policy documentation
- Conformity assessment procedure records (Annex VI self-assessment or notified body certificate for Annex VIII products)
- Update process: define how documentation is updated when product versions change
Operational Readiness
- Establish communication channel with representative for MSA inquiries (response SLA ≤2 business days for authority-forwarded requests)
- Test documentation retrieval: can the representative access and provide the full technical file within 10 business days?
- If the representative is also the GDPR Art.27 representative, confirm both mandates are separately documented
- Register the representative's contact details with the Commission/EUDAMED once Art.22 implementing rules are finalized
Ongoing Maintenance
- Review mandate annually to ensure product scope remains current
- Update documentation package with each product version release
- Notify representative of any MSA inquiries or market surveillance alerts within 24 hours of receipt
- If authorised representative changes: designate replacement before terminating existing mandate; notify relevant market surveillance authorities
Key Takeaways
Art.12 creates a structural market access requirement — not a filing or notification. A non-EU manufacturer who has met every Annex I technical requirement but has no properly mandated authorised representative is non-compliant at the point of EU market entry.
The four mandatory mandate powers (registration, documentation retention, information provision, authority cooperation) are minimum requirements. A mandate granting fewer is legally defective.
The authorised representative role is procedural, not technical. The representative does not certify product safety — they ensure that documentation is available to authorities and that the regulatory channel between the non-EU manufacturer and EU market surveillance operates correctly.
Companies that have invested in GDPR Art.27 representative structures have already navigated analogous requirements. The CRA Art.12 implementation follows the same pattern: identify the gap (non-EU manufacturer without EU presence), select a capable representative, draft a compliant mandate, and maintain an operational documentation pipeline.
For more on CRA manufacturer obligations, see our guides on:
- CRA Art.9: Due Diligence for Third-Party Components — SBOM and Supply Chain Obligations
- CRA Art.10: Security Obligations During the Product Lifecycle
- CRA Art.11: Vulnerability Handling and the Ban on Shipping Known Bugs
- CRA Art.13: Manufacturer Obligations — Security-by-Design, SBOM, and 10-Year Update Support
- CRA Art.3: Definitions — Product with Digital Elements, Manufacturer, Vulnerability